Credential-based access, typically using a combination of a username and a password, has a long history of use in secure access protocols. A user of an endpoint device seeking to access a remote resource presents credentials to an authentication server of the remote resource and, if the credentials are accepted, is granted access to the remote resource. Increasingly, users access remote resources through a third party, which makes use of the remote resource on their behalf. For example, a user or an endpoint device may request that a third party access an email server, and to do so the endpoint device provides the third party with the user's credentials.
However, in providing the third party with their credentials via the endpoint device, the user risks theft or exposure of those credentials. The user has no way to verify whether the third party has deleted the credentials after using them to access the remote resource. If the third party retains the user's credentials, the third party becomes an additional node at which those credentials may be acquired by a malicious actor, or may be exposed following a breach.
Therefore, there is room for improved techniques for delegating credentials to third parties.